DMARC Not Implemented by Most Federal Agencies: Report

The U.S. Department of Homeland Security (DHS) recently ordered all federal agencies to start using DMARC, but currently only a small percentage have fully implemented the system, according to a report from security firm Agari.

The DHS’s Binding Operational Directive (BOD) 18-01 orders all federal agencies to implement web and email security technologies such as HTTPS, DMARC, SPF/DKIM and STARTTLS in the coming months.

DMARC, which stands for “Domain-based Message Authentication, Reporting and Conformance”, is an authentication, policy, and reporting protocol designed to detect and prevent email spoofing. Organizations using DMARC can specify what happens to unauthenticated messages: they can be monitored but still delivered to the recipient’s inbox (“none” setting), they can be moved to the spam folder (“quarantine” setting), or their delivery can be blocked completely (“reject” setting).

Federal agencies have been given 90 days to roll out DMARC with at least a “none” setting. Within one year, they will have to fully implement the protocol to ensure that malicious emails are blocked.

Agari has used its DMARC Lookup Tool to check 1,300 domains owned by federal agencies and determined that nearly 82 percent lack DMARC entirely. Roughly nine percent have fully implemented the system (i.e. quarantine or reject), while the other nine percent only monitor emails (i.e. none).
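The three groups in these figures (no DMARC, monitoring only, quarantine or reject) can be derived from the TXT strings a domain publishes at `_dmarc.<domain>`. The Python below is an added example, not Agari's DMARC Lookup Tool: it follows the record rules of RFC 7489 (not cited in the article), takes the TXT strings as input instead of querying DNS, and uses constructed domain names and records.

```python
# Added example: classify DMARC posture from the TXT strings found at
# _dmarc.<domain>. All domains and records below are constructed samples.
ENFORCING = {"quarantine", "reject"}
VALID_POLICIES = ENFORCING | {"none"}


def parse_dmarc(txt):
    """Return a tag -> value dict for one TXT string, or None if not DMARC."""
    tags = {}
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if i == 0 and (not sep or name != "v" or value != "DMARC1"):
            return None  # v=DMARC1 must be the first tag of the record
        if sep:
            tags.setdefault(name, value)  # first occurrence of a tag wins
    return tags or None


def classify(txt_records):
    """Return 'missing', 'monitor' (p=none) or 'enforce' (quarantine/reject)."""
    records = [r for r in map(parse_dmarc, txt_records) if r]
    if len(records) != 1:
        return "missing"  # no record, or several: receivers apply no policy
    policy = records[0].get("p", "").lower()
    if policy not in VALID_POLICIES:
        # RFC 7489: a bad or absent p tag is treated as p=none if rua is set
        return "monitor" if "rua" in records[0] else "missing"
    return "enforce" if policy in ENFORCING else "monitor"


def survey(zone):
    """Count postures over a mapping of domain -> list of TXT strings."""
    counts = {"missing": 0, "monitor": 0, "enforce": 0}
    for txts in zone.values():
        counts[classify(txts)] += 1
    return counts


SAMPLE = {  # constructed input, one entry per edge case
    "agency-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example"],
    "agency-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@agency-b.example"],
    "agency-c.example": ["v=spf1 -all"],  # SPF text only, not a DMARC record
    "agency-d.example": [],  # nothing published
    "agency-e.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],  # duplicate
    "agency-f.example": ["v=DMARC1;p=Quarantine;pct=100"],
}

if __name__ == "__main__":
    print(survey(SAMPLE))
```

A domain that publishes two DMARC records is counted as lacking DMARC, because receivers stop policy discovery in that case even though each record looks valid on its own.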

Agari monitors 400 government domains and noticed that nearly 90 percent of them were targeted with fraudulent or unauthorized emails between April and October 2017. Of the more than 336 million emails apparently sent from these domains during that timeframe, more than 85 million, representing roughly a quarter of the total, failed authentication due to being fraudulent or for some other reason.

“DMARC has proven incredibly effective at combating phishing across billions of emails daily,” said Patrick Peterson, founder and executive chairman of Agari. “This DHS directive is an important step to protect our government, businesses and citizenry from cybercrime.”

“We would like to recognize Agari’s customers that pioneered DMARC in the federal government including the U.S. Senate, Health and Human Services, Customs and Border Protection, U.S. Census Bureau, Veterans Affairs and the U.S. Postal Service. We hope their leadership and experience serves as a resource for best practices among their government peers who are beginning this journey,” Peterson added.

Eduard Kovacs is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.